Krebs on Security

In-depth security news and investigation

Yahoo: One Billion More Accounts Hacked

Just months after disclosing a breach that compromised the passwords for a half billion of its users, Yahoo now says a separate incident has jeopardized data from at least a billion more user accounts. The company also warned attackers have figured out a way to log into targeted Yahoo accounts without even supplying the victim’s password.

On September 22, Yahoo warned that a security breach of its networks affected more than 500 million account holders. Today, the company said it uncovered a separate incident in which thieves stole data on more than a billion user accounts, and that the newly disclosed breach is separate from the incident disclosed in September.

“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts,” Yahoo’s chief information security officer Bob Lord said in a statement the company published Wednesday afternoon. “We have not been able to identify the intrusion associated with this theft.”

The statement says that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

In addition, Lord said the attackers had worked out a way to forge “cookies” that Yahoo places on user computers when they log in. Authentication cookies are small text records that hold information about the user’s session with Yahoo. Cookies can carry a great deal of information about the user, such as whether the user has already authenticated to the company’s servers.

The attackers in this case apparently found a way to forge these authentication cookies, which would have allowed them to access targeted accounts without needing to supply the account’s password. A forged cookie could also have allowed the attackers to remain logged into the hacked accounts for weeks or indefinitely.

Yahoo’s statement said the company is in the process of notifying the affected account holders, and that it has invalidated the forged cookies.
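To make the cookie problem concrete, here is an added example (written for this page, not Yahoo’s code or a description of Yahoo’s actual cookie format) of how a site binds a session cookie to a server-held secret so that it cannot be produced without that secret, and how it can later invalidate cookies it already issued. The cookie layout, the `SERVER_KEY` value and the per-user generation counter are assumptions for the demo.

```python
# Added example, not Yahoo's code. Demonstrates an HMAC-signed session cookie:
# the server can verify the cookie came from itself, and can revoke issued cookies.
import base64
import hashlib
import hmac
import json

# Constructed demo secret. A real deployment keeps this out of source control;
# if it leaks, anyone holding it can mint cookies that verify.
SERVER_KEY = b"constructed-demo-key-change-me"

# Server-side state: user_id -> session generation. Bumping a user's generation
# invalidates every cookie previously issued to that user (assumed design).
session_generation = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_cookie(user_id: str, now: float, ttl: int = 3600, key: bytes = SERVER_KEY) -> str:
    """Build base64(payload) + "." + base64(HMAC-SHA256(payload)) for the user."""
    gen = session_generation.setdefault(user_id, 0)
    claims = {"uid": user_id, "gen": gen, "exp": int(now) + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload, key))


def verify_cookie(cookie: str, now: float, key: bytes = SERVER_KEY):
    """Return the user id if the cookie is genuine and current, otherwise None."""
    try:
        body, tag = cookie.split(".", 1)
        payload = _unb64(body)
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(_unb64(tag), _sign(payload, key)):
            return None
        claims = json.loads(payload)
        if claims["exp"] < now:
            return None  # expired
        if claims["gen"] != session_generation.get(claims["uid"], 0):
            return None  # issued before the user's sessions were revoked
        return claims["uid"]
    except (ValueError, KeyError, TypeError):
        return None


def revoke_sessions(user_id: str) -> None:
    """Invalidate every cookie previously issued for this user."""
    session_generation[user_id] = session_generation.get(user_id, 0) + 1


def cookie_with_wrong_key(user_id: str, now: float) -> str:
    """A well-formed cookie signed with a key the server never had; must be rejected."""
    claims = {"uid": user_id, "gen": 0, "exp": int(now) + 3600}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(payload, b"not-the-server-key"))


if __name__ == "__main__":
    t = 1_700_000_000.0
    c = issue_cookie("alice", t)
    print(verify_cookie(c, t))                      # alice
    print(verify_cookie(cookie_with_wrong_key("alice", t), t))  # None
    revoke_sessions("alice")
    print(verify_cookie(c, t))                      # None after revocation
```

The point for defenders is in the two rejection paths: a cookie fails if its tag was not produced with the server’s key, and it also fails if the server has since bumped the user’s generation, which is the kind of server-side invalidation Yahoo describes. The design protects nothing if the signing material itself is stolen, so key rotation plus a generation bump is the recovery step, not merely asking users to log out.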

“We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016,” Lord said.

Yahoo says users should change their passwords and security questions and answers for any other accounts on which they used the same or similar information used for their Yahoo account. The company is asking users to review their accounts for suspicious activity, and to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.

For years I have been urging friends and family to migrate off of Yahoo email, mainly because the company appeared to fall far behind its peers in blocking spam and other email-based attacks, but also because of pseudo-security features (like secret questions) that tend to end up weakening the security of accounts. I stand by that recommendation.

Most importantly, if you are reusing your Yahoo password anywhere else, now is a great time to change those passwords. And remember, never reuse your email password (or any other password tied to an account that holds sensitive data about you) at any other site.

This entry was posted on Wednesday, December 14th, 2016 at 6:12 pm and is filed under Other.

81 comments

The real question is who are the lazy software developers working at Yahoo, a company that has made zer0 innovations in the last decade. At one point they dominated the messenger business, and they couldn’t make anything out of it; the software remained slow, buggy, user-unfriendly. All these developers not only need to be fired, they need to change their professions altogether. They have no business in the technology industry.

While changing my Yahoo mail password (yes, I still have a Yahoo mail account, although with all traffic forwarded elsewhere), I got this Yahoo error:

“Your password is too similar to the one you’ve used previously”

(And no, it wasn’t an “Enter old password/Enter new password” change form: only the new password was requested.)

How does Yahoo know the relationship between old and new passwords, unless Yahoo has saved my password somewhere in some reversible, non-hashed way? Buried in the Yahoo cookie on my PC? Living on the Yahoo servers?

The typical way this is done is by comparing the MD5 of the password hash. The MD5 hashes of your passwords are stored. When you type in a new password, the system hashes it and compares it to the last N passwords stored. If the hashes match, it is the same.

But comparing hashes won’t get you anywhere as far as password SIMILARITY is concerned, which according to the OP is what the message said:

“Your password is too SIMILAR to the one you’ve used previously” [emphasis added]

Even a SINGLE character change in a password should result in a TOTALLY DIFFERENT hash. Because that is what hashes are SUPPOSED to do… generate a VERY DIFFERENT result even for VERY SIMILAR inputs. Otherwise, you risk a hash collision, which is BAD NEWS in this (and other) contexts.

More likely they’re doing some kind of browser-side checking against a retained copy of the plaintext password that was entered at the most-recent login.

How about this: they set up a scenario of “similar” passwords for any user-given password, like “every character is uppercase”, “add 1-9 at the end”, “reverse password”.
And then store the hashed variants for these “similar” passwords, maybe 10-20 of them.
I really hope that their security guy is against storing plain text in the users database (and Yahoo admitted that the hashed passwords were stolen).

Let’s say your old password was “1234c”.
Let’s say they only store a hash for that.

Let’s say you offer “1234f” as your replacement password. At this time, they have the replacement plaintext. They can hash a thousand variations of it:
“f4321”, “1234a” .. “1234z”, ... If any of these match the hash, then your password is too similar.

“Too similar” has a programmatic definition, and checking it is just applying all such variations to the input and hashing.
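The two comments above (the hashed-variant idea and the “1234c” / “1234f” walk-through) describe one mechanism, so here is a single added example of it, written for this page and not Yahoo’s code: the server keeps only a salted hash of the old password, and when a new plaintext arrives it hashes a set of near-variants of that plaintext and compares each against the stored hash. The variant rules, the PBKDF2 parameters, the salt value and all function names are assumptions; the point is that the server never needs the old plaintext.

```python
# Added example, not Yahoo's code. "Too similar" check using only the stored
# hash of the previous password plus hashed variants of the newly submitted one.
import hashlib
import hmac
import string

# Work factor kept small so the demo runs quickly; production values are far higher.
ITERATIONS = 5_000

# Characters we try when swapping the final character (assumed rule set).
ALPHABET = string.digits + string.ascii_lowercase


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. The article says Yahoo stored MD5; this uses PBKDF2-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def similar_variants(password: str) -> list:
    """Plaintexts the old password is likely to be if the user only tweaked it.

    Covers the thread's cases: case changes, reversal, a changed final character,
    and a single character added or removed at either end.
    """
    candidates = [
        password,
        password.lower(),
        password.upper(),
        password.capitalize(),
        password.swapcase(),
        password[::-1],
    ]
    if len(password) > 1:
        candidates += [password[:-1], password[1:]]          # new = old + one char
        candidates += [password[:-1] + c for c in ALPHABET]  # "1234f" -> "1234c"
    candidates += [password + d for d in string.digits]      # old = new + digit
    candidates += [d + password for d in string.digits]
    # De-duplicate while preserving order.
    return list(dict.fromkeys(candidates))


def too_similar(new_password: str, old_hash: bytes, salt: bytes) -> bool:
    """True if any near-variant of the new plaintext hashes to the stored old hash.

    The variants must be hashed with the *old* password's salt, since that is the
    hash they are being compared against.
    """
    for candidate in similar_variants(new_password):
        if hmac.compare_digest(hash_password(candidate, salt), old_hash):
            return True
    return False


if __name__ == "__main__":
    salt = b"constructed-demo-salt"
    old_hash = hash_password("1234c", salt)     # only this survives on the server
    print(too_similar("1234f", old_hash, salt))  # True: differs in the last character
    print(too_similar("c4321", old_hash, salt))  # True: reversed
    print(too_similar("correct horse", old_hash, salt))  # False
```

The cost of the check is one password hash per variant, so the variant set has to stay small; that is why such rules catch only shallow edits (case, reversal, one character at the end) rather than arbitrary similarity. It also explains the commenter’s observation that an “Enter old password” field is unnecessary: the old password is never needed in the clear.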

Companies rarely invent distinct security systems for alternative brandings of a product. So, I’d assume that they were technically vulnerable too. Whether attackers knew / bothered to target them is a different story.

I believe AT&T is attempting to migrate their subscribers off Yahoo to their own servers. However, getting off Yahoo appears to be a bit complicated for the average user who wants to keep his AT&T account but dump Yahoo. Users should contact AT&T support on that.

I have a client who is an AT&T subscriber whom I’ve advised to migrate off Yahoo to Gmail. He has issues with his Yahoo email returning daemon messages. I’ve advised him to contact Yahoo to resolve that issue and forward all his Yahoo mail to Gmail, and also to install an autoresponder to refer all his email sources to the Gmail account until he can close the Yahoo account.

Is there any way to determine whether any given website might be hosted on a Yahoo-related platform? e.g., if one looked at the “developer tools” in the browser, could the network path back to source host be revealed?

Looks like some other news feeds suggest that any proprietary code may have assisted in the forgery of Yahoo cookies:

The hackers used “forged ‘cookies’” – bits of code that stay in the user’s browser cache so that a website doesn’t require a login with every visit, wrote Yahoo’s chief information security officer, Bob Lord. The cookies “could allow an intruder to access users’ accounts without a password” by misidentifying anyone using them as the owner of an email account. The breach may be related to theft of Yahoo’s proprietary code, Lord said.

On my iMac a notification says a Yahoo password is needed in your internet accounts section. I have one for the Yahoo home page, but I never requested a Yahoo mail address. So I will not enter it. Does anyone know if this notification is coming from Apple? Yahoo? Or the bad guys? I recently downloaded Firefox. Could the Fox be asking for it? Does Firefox want us to use Yahoo mail? (which I will not do) I only use my Comcast email address.

Everything is about money. I will explain it this way. Nobody really cares for efficiency. What is important is how much you spend and what statistics are pulled out each month/year. No one really cares for the actual price of the information received.
And now what, we spend/make billions for spying. We are the best. Everyone is using services from our network and for these billions now we own the net. Really?
And sometimes, somewhere on the globe, an idiot appears to say or do something wrong. These actions require some reaction in order to remind this man what kind of position he really is in. Which is hard when dealing with stupid people, no matter how much money or power they think they have.
And in this small game someone sent a message like: Your billions don’t count. You always were and will be more steps behind. Just don’t mess with our affairs, or at least play fair.
The same rules apply everywhere, all the media, no exceptions. Media is used like SMS; people’s minds really do not matter at all after elections.

I just discovered this Yahoo feature due to this hack hysteria. I don’t believe I have a Yahoo Plus email account whatever that is (the tutorial excerpted below is from a non-yahoo site with no date stamp, so it could be old) just a standard account, and yet this very handy sounding option seems to be available.

Do any other email providers offer this?:

How to Create Disposable Emails on Yahoo!

Time spent deleting and wrangling junk mail can cut into your productivity and even bottom line. That’s where a disposable email address comes in handy. When you download trial software or sign up for an online offer, websites ask you for an email address, which they may share with other companies or flood with junk. If you have a Yahoo Mail Plus account, you can create up to 500 disposable email addresses that you can use without having to worry about giving out your primary addresses. Messages to disposable addresses are color coded and can be delivered to folders you specify, making it easier to identify and delete them.

Here’s a disturbing anecdote regarding AT&T Yahoo accounts. Not sure if all AT&T domains are impacted, but my ancient Prodigy.net account is one of the original AT&T accounts, and I recently received an email from Yahoo informing me of the breach and requesting I change my password immediately. In my case there is a primary Prodigy account, and four sub email accounts, so I need to change five in all.

So I proceed to click the link, request a password reset, get asked a security question or two, then am informed I cannot change my password online and am directed to call AT&T. After calling them and getting wound up in their call tree, a human comes on and ultimately informs me that she will need the last three digits of my AT&T billing account number in order to pass the required security validation. Only one problem: I don’t have that AT&T account anymore as I have moved five times since creating this account and am out of the AT&T service area. I do have an AT&T wireless account that I have maintained throughout this period, but that isn’t recognized by these people.

I request an escalation, get a callback two days later and they ask the same questions and tell me they need those three digits, and that’s that. They didn’t want to hear that I don’t have the account, it was paperless when I did have it (they asked me to call them back when I had located a copy of the bill from five or so years ago), and said they were the last path of escalation. With smoke coming out of my ears I hung up and asked my wife to help me charm them into submission. About two hours later she had reached someone who was willing to get some technical folks involved and change my passwords.

So, for the final scene, I test my new passwords using the web interface, then the POP interface I use on my smartphone. Surprise!!! The password on my POP account hasn’t changed, but the web interface has. Same email account, different protocol. Go figure.

I have no clue how things are cobbled together on the back end of this Yahoo/AT&T system, but it is pretty bad when you cannot change your password without about 4 hours on the phone and two escalations, then only get half of your account changed. I am starting to understand why breaches occur: no one has a clue how things work, so they can’t begin to establish any meaningful risk level.